Malware Analysis Report

2025-03-14 22:06

Sample ID 231212-c8qe9sehg6
Target ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
SHA256 4c60260f51e6cba1b0276210a1f38140d11ed66404f339a672f7814f6e08c66e
Tags
dcrat djvu privateloader risepro smokeloader zgrat up3 backdoor google discovery evasion infostealer loader persistence phishing ransomware rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c60260f51e6cba1b0276210a1f38140d11ed66404f339a672f7814f6e08c66e

Threat Level: Known bad

The file ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe was found to be: Known bad.

Malicious Activity Summary

RisePro

Detected google phishing page

Detect ZGRat V1

ZGRat

Djvu Ransomware

DcRat

Smokeloader family

Detected Djvu ransomware

SmokeLoader

PrivateLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Deletes itself

Themida packer

Reads user/profile data of web browsers

Drops startup file

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 02:45

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 02:45

Reported

2023-12-12 02:47

Platform

win7-20231025-en

Max time kernel

62s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detected google phishing page

phishing google

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\93D9.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\93D9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\93D9.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eZ0Gi05.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3377c12a-91e1-4985-b78d-00fd8a93f989\\A8C0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A8C0.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\93D9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93D9.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97FD60C1-9898-11EE-8F6E-4E210DC4A102} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{981C52A1-9898-11EE-8F6E-4E210DC4A102} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97F8C511-9898-11EE-8F6E-4E210DC4A102} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93D9.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2788 N/A N/A C:\Windows\system32\cmd.exe
PID 1252 wrote to memory of 2788 N/A N/A C:\Windows\system32\cmd.exe
PID 1252 wrote to memory of 2788 N/A N/A C:\Windows\system32\cmd.exe
PID 2788 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2788 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2788 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1252 wrote to memory of 3052 N/A N/A C:\Windows\system32\cmd.exe
PID 1252 wrote to memory of 3052 N/A N/A C:\Windows\system32\cmd.exe
PID 1252 wrote to memory of 3052 N/A N/A C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3052 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3052 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1252 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\93D9.exe
PID 1252 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\Temp\A8C0.exe
PID 2924 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\A8C0.exe C:\Users\Admin\AppData\Local\Temp\A8C0.exe
PID 1252 wrote to memory of 684 N/A N/A C:\Users\Admin\AppData\Local\Temp\B0CD.exe
PID 2956 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\A8C0.exe C:\Windows\SysWOW64\icacls.exe
PID 2956 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\A8C0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe
PID 1388 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe C:\Users\Admin\AppData\Local\Temp\A8C0.exe
PID 2064 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\A8C0.exe C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe
PID 2788 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe

"C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\87E5.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8A08.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\93D9.exe

C:\Users\Admin\AppData\Local\Temp\93D9.exe

C:\Users\Admin\AppData\Local\Temp\A8C0.exe

C:\Users\Admin\AppData\Local\Temp\A8C0.exe

C:\Users\Admin\AppData\Local\Temp\A8C0.exe

C:\Users\Admin\AppData\Local\Temp\A8C0.exe

C:\Users\Admin\AppData\Local\Temp\B0CD.exe

C:\Users\Admin\AppData\Local\Temp\B0CD.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3377c12a-91e1-4985-b78d-00fd8a93f989" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\A8C0.exe

"C:\Users\Admin\AppData\Local\Temp\A8C0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A8C0.exe

"C:\Users\Admin\AppData\Local\Temp\A8C0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe

"C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe"

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe

"C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe"

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build3.exe

"C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build3.exe"

C:\Users\Admin\AppData\Local\Temp\448.exe

C:\Users\Admin\AppData\Local\Temp\448.exe

C:\Users\Admin\AppData\Local\Temp\C64.exe

C:\Users\Admin\AppData\Local\Temp\C64.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eZ0Gi05.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eZ0Gi05.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1468

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build3.exe

"C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build3.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1040 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WM287so.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WM287so.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5TN3BC2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5TN3BC2.exe

C:\Users\Admin\AppData\Local\Temp\BB59.exe

C:\Users\Admin\AppData\Local\Temp\BB59.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {255C085C-5ED4-43F3-BFF4-06ABCE9E1F1E} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\243A.exe

C:\Users\Admin\AppData\Local\Temp\243A.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\3432.exe

C:\Users\Admin\AppData\Local\Temp\3432.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\43AD.exe

C:\Users\Admin\AppData\Local\Temp\43AD.exe

C:\Users\Admin\AppData\Local\Temp\is-G2DN7.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-G2DN7.tmp\tuc3.tmp" /SL5="$106C0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\460F.exe

C:\Users\Admin\AppData\Local\Temp\460F.exe

Network

Files


memory/684-241-0x000000001AEC0000-0x000000001AFEA000-memory.dmp

memory/684-235-0x000000001AEC0000-0x000000001AFEA000-memory.dmp

memory/684-245-0x000000001AEC0000-0x000000001AFEA000-memory.dmp

memory/684-247-0x000000001AEC0000-0x000000001AFEA000-memory.dmp

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe

MD5 2449def686158fff9801f567489d9c1f
SHA1 a26a611f6c8f43745d69a6138e07f8f32b09fa3f
SHA256 4230571aea510591a55384cedd110eb4c220014ccda30d2d7018dcee89c7770b
SHA512 9fe324902e5c31e6db664b40074ffcc03cd1c13606e9e6c4e156e71cb89d1e234477454df3debbccfe5b9e2c88b52e6e8f7746832a6f2f4d4ad6a9eb0d75000b

\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build2.exe

MD5 48afa92edeb79f0c230b3d9f01efc1b9
SHA1 d100579b6d4655d190aad5db89067477e45c2359
SHA256 ef757119e8206416de7d4a94480a25ee295ed9a61b05742285cd9c2b999aab49
SHA512 e1d4caf8fd679ad02ac14dba9c2ba40c36ae9594e69545a346b11dda44c9cf863ebf5d71124be95ccd9d3748164d0db4455f0709bc2503cd3d8cda83955d8a1b

memory/2568-304-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2788-307-0x00000000009D0000-0x0000000000AD0000-memory.dmp

memory/2788-310-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2568-318-0x00000000006A0000-0x00000000006E0000-memory.dmp

memory/1676-319-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\448.exe

MD5 7fd833fd8013e24a5a6c48e6d6d43141
SHA1 b521f9c5960da27fa5ae4ed6d523c8d16bc83149
SHA256 bfb797fcd7eed00c868a46413a1d73456a8a1ecea43257620431f44b514a7466
SHA512 eeddc784179ed7142ac3729284474b2f161ebe66f90239838883ecae81b0eb0aba6352d728c2c31077529d4e4f7a99ec4d0253d49be3b47c32e24e78b38ee379

C:\Users\Admin\AppData\Local\Temp\448.exe

MD5 a5e6b85bbc411e0abed16323c7856bc9
SHA1 d3fed13c60b555b5e61cccd9dfd22dc13cda3615
SHA256 12f0c4858129fa964922579e50a63a43530055b4b1fe336bd5276e22633674b0
SHA512 8d9925249aabb8d57c5b0e19fb1af41cb115a273fbdbf56165a4550aa7f77d6b2c6001c680330518691862dac9b4909e623f7e43c667bac965545fa94a2274a9

memory/2180-897-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2180-910-0x0000000000CC0000-0x0000000001176000-memory.dmp

memory/2180-921-0x0000000005040000-0x0000000005080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C64.exe

MD5 01134a83fefd4224c3ba6dbf527cec76
SHA1 e806ad888313f9334bf6f04f730dc4b7d46f9ed4
SHA256 9fb7f3f0cadee833ac0cac9b91efcd8d50085dcb93d99758a2ac483e7b7b6379
SHA512 07c27bfafa1a1e98f2f710dbf1f740d6faec8304ee590fc8035d171dc41fee0f20b4bd48f200412c8c976098051eecb83030d57afa9c6e2029aa412173637cf5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe

MD5 8e3dd01a4296f80b2319cb7f38894f6b
SHA1 8f741373049828d3de4462ba69119a5bf55e372c
SHA256 c353ac92b4a279e49fe1430d2fb065539e19edddab858132c2be2263a52a8bfa
SHA512 5c480b71be27292623e48131a87cc3c61c57989e0168a94c49a34b65f204d347bb82b0bed4b7188ce60af18b53be045ad396d9d7060f70a3eb52f5ee4b5be78a

\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe

MD5 4dc47c68136806351032c7c16da152c2
SHA1 60b998fe1991c438a98ce8ece3c1b42e3934ec93
SHA256 9ec1857e93c4b9b26d440593d1d8d9d0078dcc42e3258ab19569d950fa06cab3
SHA512 a5f7afa2a2be807a37c06a53dc2e7975dccfe9ff1f8467615ba0bd483b892889a9d7e75d6d0a931b3bf970a757349782ad2110e8b406b7c493d99daad1ede080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe

MD5 8f5a33bbe6119b9c9a4de9c0f6a21240
SHA1 b3f6dd606a93028d14f2d0b5408dace1a79ffaa2
SHA256 9ea7dcf067e8de315c759e44623533c075c224df8f7e4b1b22e4613ca7f969b2
SHA512 293606446f7e8322a34329842fe22658e5264a58246d9da72bc54200b0115c137ed8e67982fd669831d2d5abdeb934222d4736a450b7a1b74af7466c12a9d773

\Users\Admin\AppData\Local\Temp\IXP000.TMP\FM4kQ16.exe

MD5 8242114b264995e882fae659af2a2b72
SHA1 202c9d8682ac663a27030abb6b2648ecf4ca43ac
SHA256 055cd144c355154ba0f23d73c49829cc91292d78c643d801f8b7f911b65f302c
SHA512 d2e7727e18739b4ce5d4c250260f7cafadc212028f84647508dde5732cff38770def8897613c63d911661e788352547f8bc057eb68c72cfaefd9df0e6d7479af

\Users\Admin\AppData\Local\Temp\IXP001.TMP\eZ0Gi05.exe

MD5 58a7f017797293dd5ae60d8d50073fee
SHA1 a1b35fe5ed504edd93975bdaecb209eb9f2214f9
SHA256 8dd7f8485470700d11e3a4f61ccd6af56d80e39ed615032b4b3d5de44466929b
SHA512 3d7854bb9e30b28175088d37b3c6558f7f2648fac185e483007dbd0421bf565fd4432437d435620b16cad6ec29c3f8a226d0c5177268591c88616726647fc1d6

\Users\Admin\AppData\Local\Temp\IXP001.TMP\eZ0Gi05.exe

MD5 1fe275b9ad4972dad199dad064ee30c5
SHA1 df7a6a878fd289fa8a3c43a4a499fe4245c5724a
SHA256 4e9b474c5177e5312a59ba841b0cf5bb6762aa524087171fcdee87706f2a8ccd
SHA512 1e0f2a77786104338887bd1090215e6f5919721c764ce62ce0b8515c48197b7892cc0b6a222023cfef262d267d4c9dd4741a1285b8b5ac2a74fdea4ef8c77fdc

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build3.exe

MD5 7b534d8aa6d34c0642ee2c65a3410198
SHA1 ce1327daa8b5e880c291431a5c9cbaff60ca9bfd
SHA256 84cbe578d307a9e7d34d3d6416396de6bdc7afe6fab25e5cf0745c576dd60569
SHA512 bf3c57567347d777d89f229e7c45215e9c7950362a36d08678b18b0390cbb5026ffe80b88ea0c4bbeb0f6b48083b72880a669d0f0a124415fc9989efebebff0f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eZ0Gi05.exe

MD5 92b72347ede51f36625d14d09c6c1515
SHA1 0c99dd9a0792ddd043df14d7adaf6ead8245966f
SHA256 06288edc7405a750bf29261812e53b8d7beda08e00b7ede16a336aaf518786ee
SHA512 714e7f4e9848bf9408b85e9a8524da2832ca0e4d0db088b07beb3f41cf7e93bdbd49eabb37ece87d1db9f963bfdc6cc07bfeaca87c6f9e3791dbc14b26d0dc59

memory/1612-957-0x00000000002F0000-0x00000000003F0000-memory.dmp

C:\Users\Admin\AppData\Local\f352e35f-68b8-4d3d-abe1-d2bf2b0978b0\build3.exe

MD5 339e1d54f4ee0be745eff93cbdd61363
SHA1 a210dd801bcf4b830fee84a8c1695d94e6a3a89f
SHA256 022b3bf1d9eb6b7dbb307afc43f6547335ea74b6980c8be1407551450b863943
SHA512 2f394672618b4ae79a3dc0ea7434fac08f76a1acb17d4b4fa348aafc45410120a53905d895ed4ec6107f92d755c42a2141cff1bbabfd2f9e671233e457adb61b

memory/1612-959-0x00000000001B0000-0x00000000001B4000-memory.dmp

memory/684-970-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

MD5 cd964ba5997189d5972d5895e5ddd257
SHA1 f3e4ba6958da8c4d2e869420a456370f2d636f0f
SHA256 eeb9f5164cad6d24eaef887100a75837b218d9c6167a98bb6515a2916e10d287
SHA512 ebecdcece6a8fbd9eabe158356686552c1de79a9a7bc14a04a5672e400ee6d7a521075ca6c1c1fd8eed55b61307109e0495a3e80096f5ba6fd887789e5d91b65

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

MD5 a058d063858696b2958183933b4f25e3
SHA1 8bb9cf977f97603b907735c3c8c60d2b4d433f5a
SHA256 65f59cc5cf18d250f794f3679174d19cbe0656622c26cba4518cc8c9919d166e
SHA512 2d4ffed61cb5d7a7ae49ebf9eb93ef48f8eb44ade93fa84b0a14b9ec414a427a27764dac8dd5f6a76733e0b3b3db4a3c75da38ae072e2a4dd8f4cfd7631a6b30

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

MD5 dcdcf50282c7a0747d4feb37c07b0070
SHA1 638322dda1d9db32425cd8f40b7069c4875a6899
SHA256 4dbc5913edb7b3aee64807120cd61bd6f97c713b1b95a0f73e16411fb1ad162d
SHA512 2f9535f801fd4c15025b50919ef0513a95a8df2020aaee741b477f49c0f224bb8115d7074f94e053f1b0aab084c67d801f525bc3d4ab9aefeb86f39873e2e144

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

MD5 7a38ee8abe1bc71171efb71650bfc718
SHA1 519585d53a9a6791e61591822d472827b22dab09
SHA256 8cac8fd4730fc491e2e087ced2697392b97a8139719f8c1bbb59842e3df161db
SHA512 f83980edca2cd20cfbc2af6194735c271bcb989548259fdb1c7287bf6690587ea21e80d41342286fbe29e455bce3ee02b5ebee8285adc2f4f8de09644936c23f

\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

MD5 62489e119d9d5d46e8808614cb414d0f
SHA1 98ec7d2c3cbc095960d4c86656c93851df0d9d9f
SHA256 0a3692bc1949d0a8e67f2b4b999dec313a1edcbe21b405656c8d3c826db6336f
SHA512 673e062ab119592089adc407a16915c5b949d2d038f937e167dfe8f572e0f15ad0602fbfa51d8f2706b0d7b4fcf888ca587755cf2683c1de885d92970deca9ca

\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xb5954.exe

MD5 b7769bf4df44272198bd94cf86b3dc5e
SHA1 0b19dbb3686f56199978d4d4bcfb7ec7e5cd8f40
SHA256 30ba4bf97cfcc1ffc1fa04f2e0f85ad8319e3edfa6dc9f5de730d10d4057dacb
SHA512 644764a716c7ae33e099447a270ddfb73fd757d9aa0341e206b25453df8c3f79ac87c22f086475dcfa8751e3227a769390fb96c8d18808df603be0205ad77e57

memory/2388-971-0x0000000000400000-0x0000000000406000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe

MD5 da153f14f4b4fbfac02c2a514fd478f2
SHA1 7869228bd5bdf431d5a5517e87438f2d90bf8f13
SHA256 903d44a84c8a56e0f12b79c21bfbc3d108fe4c7f09a4972ddcdcfaa22eaf9de6
SHA512 b1965b394c88c2bf59da5f80af53a7bc47545148b394e4d783e787b97cdb1dee821ccbf453f5a9260a9232a9a29ce93a8303396de40a3c14e2833993fbde7b6d

memory/2668-987-0x0000000001000000-0x00000000010CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bq58Lc2.exe

MD5 d6d8c4fa2b2cfa0d94770c54671b67df
SHA1 d6ec506e450785bec1d0e7e7be87781678c5059d
SHA256 7b66e30e3337a5a48ca63c3dcc865e310824bc82462bba6950b01b0a40833755
SHA512 ed86da1a0d769dd5ccc298ca4bee46913158122f04cbd25325856ae21f5fe0351736c54b4783bcf313e51c7a45decaddd899f5c180f5d8f6ae9f5345a49293d5

memory/2668-994-0x00000000024E0000-0x0000000002675000-memory.dmp

memory/2064-995-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2668-996-0x0000000000400000-0x000000000090C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eZ0Gi05.exe

MD5 a1ab3d9b5819dfd54181d3c260ad23a7
SHA1 293743ab4b6f5634ca19837872498e2dd4789851
SHA256 b563dc2a0be9c905f354be7f71dfc271a3849915de624e10ad727880ca2745b7
SHA512 eccf05f8951c6aab25582a020c74cc7e755b150dec871cabfe22b3142304f12f3f7d7dc646f4877aa360ecb200031ab5d38319d8565526c8fed74c4a223eda80

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{97FD60C1-9898-11EE-8F6E-4E210DC4A102}.dat

MD5 4b137bd080f05317c61a5e1f27c1aa63
SHA1 815996ad98832d6e02d040557f1bc9fbb9cc2167
SHA256 696d79a1d785233e1f97e99b582e70b44e2ff6e5bb717fdd96d031cf7468ef96
SHA512 3553136091f4798720f477de551def664f3006011aeb91adc97a80d02121a4d7891d0b6fb7faaecb37628de45920f90fa53c687e9644035f8d219ffbdf8b6c5a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 c6ca937c06de085a0436b0b963d729ba
SHA1 8723a59aa5ced58762f6a5fae1bebf58ff890b24
SHA256 4120fcc98d2318488dca1e5a7c3a395142f32d15c47264f554ebd716956372f1
SHA512 1f8bef10fe79bdd5e834136662c91312141a34d7047b2466b6130e10b06844511b72b9a1632ca128cc598bac2aaee603a5dae5b6cfe9780f506c7a16544a06b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed0b5ead5235072a772020c54cf8cd84
SHA1 7c2c353ae1edadaa962ca833f8868aa1557994c9
SHA256 54a08cf4ec06b12e4f6a93434f6036f5b08e8e937799194a2d53af2aa9c373c2
SHA512 ead345c52ff230ab2eb6735c6192565bc17b71571b000a3e6733ff9acfae506f5733bcd780d8e6f59f2c0e698eba4c2aaa9fddd4b3ca155645208bdc99d8dfa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cd15f60e8baa046f073f79a02f02acc
SHA1 1512058345ccfde8ec5105079fc1552b2b230ea1
SHA256 52f147a48f1d16fdb1a3761dbff7e96d04ac1a4b9755e7834bb9518f02f4db46
SHA512 e6e6cd4e6df0d9b645056e742143d504d7c8c906c477fff511d8e248b4588e3b20125ad7f4cb1a183cea3620c79a3e9fee55fb8f4aa5f3aca6767bc1996db0f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 27c7be9746c904ec0a4d238e6ffbc36a
SHA1 ce8b9fbb09791e940b5e6b9f191d9eb32da729b5
SHA256 de83a7f002fbc605f382f32bdbbcdeefbfa6627b60ba2e36529fcf00166fe5b8
SHA512 c91c60f5e4c154980a29c7a02454f4057a075cc3a7b4cd3b6aa3763bd92facb3a630e055f1b0c1b420289b09de09382b6ade650ae286d3978adcddf5e92070d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 014e236e989270b026b15a2a202eed8e
SHA1 c50dde7a5b5c91358200b03b4c53c7f5df37f418
SHA256 2156fef0f69eaac402c7e65dc810738874a4f0533100227f5961afe72a34cc38
SHA512 9bfc2468127493e80943e5c17f39cf3c57b54b1b82af4be77a0b76cdd24349683e3b5cd9b9ec06007bd1c1b90358e4922c85f5c42cfb7a69828a5d4da9546198

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 6df6c9a37b49d29922ba8787e57bc28c
SHA1 f5ee7d0f0f134b139a517fdfce09e4fc9d376d13
SHA256 ec54c420529e30e17d896b66b23d796b4dbe9553b605fb9b4674a4528d91da26
SHA512 ad9b1330fd6142b427bdd7802cbfc9e6fbb1f3d69d7fed84950e2e5d703477b41ae7480028436755ee460c5d3d882fc7acb7b6b999206dc2989aeddd4b846b77

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/1676-1463-0x0000000000400000-0x000000000063F000-memory.dmp

memory/2180-1476-0x00000000054A0000-0x000000000565C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grandUIAiWoF0j_RXoEXC\information.txt

MD5 a2d153a79539860c119fd822b57a0a6e
SHA1 73784cd1821310270b3fe140690bf96f6d96563c
SHA256 8187e3c374a87632d0ca32909f9772e77725c1de344a03752f2d906276aad3e0
SHA512 84a4522ddfa44563df0d8861ab5558a5681781091c787bd05059504a8c0c2da460765265fd166252ea6b2559431adecfde1066b82f9cbfcca4aa3d9d63df9b0b

memory/2180-1616-0x0000000006660000-0x00000000067F2000-memory.dmp

memory/2180-1668-0x0000000005040000-0x0000000005080000-memory.dmp

memory/2180-1669-0x0000000005040000-0x0000000005080000-memory.dmp

memory/2180-1670-0x0000000005040000-0x0000000005080000-memory.dmp

memory/2180-1667-0x0000000000520000-0x0000000000530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WM287so.exe

MD5 9fa983e16b7460dd4680b90f2abf3fb2
SHA1 aedca076d0e1694c461d0a5a6c54dd6882ea455d
SHA256 7985278cfc2f0bd40bd02452637c78190a8e8f543e109f56eb0b13bd27e2a451
SHA512 8e61e5021e0aae33249be1f42b5f143473963a571160b81eb0f6c4ba478b7a42d4f2b1a9b5d093eb4acf27c48ae56501ba2ebc29371e813482e6d9efbd206a26

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pagsbca\imagestore.dat

MD5 7b9fcefa6ee0c12b8f6483443ca4995a
SHA1 24e486532483b7a6bac511e3c68fcb8e91d08898
SHA256 b66bd6e5973e8e49b26239e956286a216425b0e3979a5138def327b7b175f6a3
SHA512 ddca7889a7bab8d5d521de4063a6b352308522216c992edaaf69d96be7d609c4b8dbe58d46c8f327a3be941ad73307da4732102b757c54c5329e77458598bbf7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\favicon[1].ico

MD5 231913fdebabcbe65f4b0052372bde56
SHA1 553909d080e4f210b64dc73292f3a111d5a0781f
SHA256 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad
SHA512 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\favicon[3].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\shared_global[1].css

MD5 eec4781215779cace6715b398d0e46c9
SHA1 b978d94a9efe76d90f17809ab648f378eb66197f
SHA256 64f61829703eca976c04cf194765a87c5a718e98597df2cb3eae9cf3150e572e
SHA512 c1f8164eb3a250a8edf8b7cb3b8c30396861eff95bcc4ed9a0c92a9dcde8fd7cd3a91b8f4fd8968c4fdafd18b51d20541bcc07a0643e55c8f6b12ceb67d7805d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\favicon[2].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_EC50BC49A28D68A36F5274F1BD1417C1

MD5 8d40fceb734709a662de84d5a82e92fc
SHA1 5a637271aa7d3b55763936dc154330915a7440c3
SHA256 7a18f7ee1a4277a768bc922ecbb25f746c9012ff336acad04bae7f08c28ba970
SHA512 c34b5af305c702dbbff954a2ccaffe205c844985aab2db771aad923dc68b17926b5e627b52ae5f530d7f8a850a4bcb3efa51d4dae551d2137e4378099159a0b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\buttons[1].css

MD5 84524a43a1d5ec8293a89bb6999e2f70
SHA1 ea924893c61b252ce6cdb36cdefae34475d4078c
SHA256 8163d25cb71da281079b36fcde6d9f6846ff1e9d70112bbe328cae5ffb05f2bc
SHA512 2bf17794d327b4a9bdbae446dd086354b6b98ac044a8ee0b85bd72c3ab22d93b43f3542df03d64f997d1df6fc6cac5c5e258c4ec82b998f3a40b50c2fde99b5a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\tooltip[1].js

MD5 72938851e7c2ef7b63299eba0c6752cb
SHA1 b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e
SHA256 e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661
SHA512 2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\shared_global[1].js

MD5 f94199f679db999550a5771140bfad4b
SHA1 10e3647f07ef0b90e64e1863dd8e45976ba160c0
SHA256 26c013d87a0650ece1f28cdc42d7995ad1a57e5681e30c4fd1c3010d995b7548
SHA512 66aef2dda0d8b76b68fd4a90c0c8332d98fe6d23590954a20317b0129a39feb9cd3bd44e0c57e6b309227d912c6c07b399302a5e680615e05269769b7e750036

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\shared_responsive[1].css

MD5 086f049ba7be3b3ab7551f792e4cbce1
SHA1 292c885b0515d7f2f96615284a7c1a4b8a48294a
SHA256 b38fc1074ef68863c2841111b9e20d98ea0305c1e39308dc7ad3a6f3fd39117a
SHA512 645f23b5598d0c38286c2a68268cb0bc60db9f6de7620297f94ba14afe218d18359d124ebb1518d31cd8960baed7870af8fd6960902b1c9496d945247fbb2d78

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\shared_responsive_adapter[1].js

MD5 a52bc800ab6e9df5a05a5153eea29ffb
SHA1 8661643fcbc7498dd7317d100ec62d1c1c6886ff
SHA256 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e
SHA512 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\pp_favicon_x[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aaea2735dc4c10458cb2c8dc06ebaafb
SHA1 b23418c00e018e4d2a386c478e1e23956cf930e5
SHA256 3a97f3a00d8e964124a363837577598eabb4f36ecbed8fce40c63d99f35d97c4
SHA512 74573ee4667bfa33b4e406202ffeb937330bfa83e2aaeeaf4b4cb62430ff5228ff0335bc74e3116cc5604943883952fc71e958fbf7362c2adaebd9e6ee35c825

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d5019f03c06c1c7aa43e25717750f9b
SHA1 6398e6d1ca8c4611667b440b25b1340aac995cac
SHA256 e097b1709384a4fd16f89fc59f73fec9eb9169451ba7e68154541808b4cb7fa9
SHA512 f01adcca04e1b183f672f670d0b115236ee9f1da0b7d1b91e120915bd85662eeda4239d10ade348e6e947c2673852593972dba8d18c52c9a990d67f3ea1c32f9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\epic-favicon-96x96[1].png

MD5 c94a0e93b5daa0eec052b89000774086
SHA1 cb4acc8cfedd95353aa8defde0a82b100ab27f72
SHA256 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775
SHA512 f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1892b52c54a0d8318bdb6bea19c07f4e
SHA1 570d5dd94b95bdbab788a101d2dbb8e4a146a285
SHA256 05d88909621910e2fe35748d28f810a28d333a062ebb9089b103ba6409a319d1
SHA512 543f098a6e20dc406274e43d56a2b231259ca9dd1f73e7d7294f4b1b68a4a606438c2548261745f5509c66545e3f2cb3e8446aa97226c0061428d0e0f774ce16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e05697a7ab8bf3c5d2fe47b71b2dc71c
SHA1 db1699567e826aa5d5825ca2d4ea69c9fc12c40f
SHA256 23ede2ccc1b18d7550e5cb0ea04c01eb8595df8bb5d2480c63b5c72d0142619e
SHA512 64a9269c528c19bdad400ca35f598fa4b56a52d18286547ae33d4ca216230289ca1fbfcbfcdb2e032fc3d59668791960c238063d3740c9b1438d8dd5993e4b18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 442d630fcd880d1ceecffaf9b94f75d2
SHA1 d62c418c5a94f178032cedd0d5b228e7410ca594
SHA256 f01a87372c40280304582ca822c0140fbaafc8535e61ab2dbba90579df987656
SHA512 678c045f37b55bce2094e6c8aec2e40c9c183b6e7a2caaa727071dddabf2af7e1d7da9bd3594ed452c43ef67926fa887be392572c521ff92e7fc225dcf37d03b

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f81be07058935d224ab3843bff94fec0
SHA1 1a7360901f8cb5017f7a41ca1a6984227b712b16
SHA256 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c
SHA512 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdcb3d89fdece76b72d92f22ecd16320
SHA1 1c61e72a86a62e1bada74d610efd7fe3d67cb80a
SHA256 c45f742ef2faf683fcf9f1f19a2680c59e12ee8e87bc43e20a93f431f969e8f4
SHA512 8aa804c23418fef2f4204fd8838079ec1b7a8037404f7f9180823dfe21b55e25a7a613e4c959b0e233e17772d68815730d06fcd329c279b92695de5cebe43799

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c19f196a01e7f36e0cff43dc984ead28
SHA1 12123adcb0444ea4df7471685b3882a8b36b8992
SHA256 de7986f92f674f8f008da10ea78da37f011bb5fbad4857f276917dfc5d61819f
SHA512 bca387a208615ebe37a455fcec53d20f32a8d54c6819a63b1ac7a15ac0ee310e890bcb40081aaf15864eb99f41af716114d757e23a0f7f424c95089164a83bd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4945c715994cac84e282201bbbf91cf
SHA1 ad77c97228ba1d39b65851a02bc28eca86e5e91b
SHA256 8d16c7266ded6b470d564e381e2381391dc675b9418ab57b47357d6acd620028
SHA512 c6961327f3a3e3df91956dc46a32dba902792e32a8ba7d293c6488cc768e2e8e81f8cc8eedf1fcf017224d82422c5f62e8fd66a09a217aa9555c72cf6236b1bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f91b75fe8270a31b6eb44818b5ae692c
SHA1 20baf245bff31a6c4e5212a5835c009020059533
SHA256 ad2f5ba8ee3b818559682b1fe8cb84722467cad17ac75235fc7d5082ac38337a
SHA512 c01632aeccb8a0bd5c71e319100d7d24c200d48079bde14b2b67ab7d565080b35fd037f41f789da5058acf9871ee3867464311b5c52415799b28d1c5ad42df2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d8479ae7eb8c2185cd46889d8c5928e
SHA1 8907c0b1c613dec1d313da2676c2e0914b129513
SHA256 eb655072c6a83533de964eb5d74a32e7d880816b8881ff71c2ef5dcf08efbd29
SHA512 0f3f17cbe8f2ac3862872e4346a38d1c0cb0fd6b37122e054d69fd9c5a5dc70e520f8883b9234c2b9469dbf8a4dc5286606e5321a62844cf4742ea796a4da498

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e43d6923803f6435cf7a8084fae76d4e
SHA1 a67d4d3f6f123c7b8067f83605c7bd671070ba47
SHA256 67ef0b7b688068651138c53c8711d8b37f1b91f6c5fb384c1c93914799ffb547
SHA512 b8e5ad11c79ad80f0705870952fa90b5070df05c1462542ad29ff4da43883f09ad329493f1993ec011b0ff62b605271329ee4aebff4c3edb93ff6de24c78f616

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 02:45

Reported

2023-12-12 02:47

Platform

win10v2004-20231130-en

Max time kernel

150s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe

"C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 364

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp

Files

memory/4428-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3372-1-0x0000000000B40000-0x0000000000B56000-memory.dmp

memory/4428-4-0x0000000000400000-0x0000000000409000-memory.dmp